Can data protection be used as a quasi "image right"?
The answer to this question, in the UK at least, now appears to be "no".
The UK Supreme Court has rejected an attempt by an individual to bring a class action against Google over alleged breach of data privacy. The decision is likely to be welcomed by technology companies that store and manage personal data of users.
The claim was brought by Richard Lloyd, a former director of Which?, against Google over its tracking of Apple iPhone users during several months in 2011 and 2012. He claimed that Google, as the data controller, could owe £750 to each of 4 million users for alleged violation of the Data Protection Act 1988 (DPA 1988), totalling £3 billion.
Google has already agreed to pay a civil penalty and consumer settlements in the US and against three individuals in the UK regarding the same allegation that was made in this case.
Class action attempt
Lloyd sought in effect to bring a class action, arguing that he was a representative of the other iPhone users, and that compensation could be awarded under the DPA 1988 for “loss of control” of personal data, with a uniform sum for each person. The claim was backed by Therium Litigation Funding IC, a commercial litigation funder.
However, as Google is incorporated in Delaware, US, Lloyd first needed permission to serve the claim outside the jurisdiction of England and Wales.
Lloyd was successful at first instance at the High Court, but that decision was overturned by the Court of Appeal.
On 9 November, after receiving submissions on behalf of the parties, the Information Commissioner and five other intervenors, the UK Supreme Court allowed Google’s appeal against that decision and restored the first instance order (Lloyd v Google LLC).
Damages not available
In a unanimous ruling, authored by Lord Leggatt, the Court said that:
“section 13 of the DPA 1998 cannot reasonably be interpreted as conferring on a data subject a right to compensation for any (non-trivial) contravention by a data controller of any of the requirements of the Act without the need to prove that the contravention has caused material damage or distress to the individual concerned”.
Hence damages were not available in this case.
The Court went on to say that, even if damages were available, the claimant must prove what, if any, unlawful processing of personal data occurred for each individual. This would involve examining issues such as the duration of the tracking, the quantity of data processed, whether it was sensitive or private, what use Google made of it and what commercial benefit the company obtained.
The “starting point” for valuing the wrongful use was to identify the extent of that use: “Only when the wrongful use actually made of by Google of such [personal] data is known is it possible to estimate its commercial value.” The Court therefore decided that, in the absence of the required proof, the claim could not succeed.
However, it did not express a view on whether such commercially funded class actions are desirable – a point on which the High Court and Court of Appeal had strongly disagreed. The decision therefore leaves open the possibility for claimants to try to bring class actions in other data privacy cases with different facts or those brought under the UK GDPR.